14:00:05 <njohnston> #startmeeting fwaas
14:00:08 <openstack> Meeting started Tue Jan 17 14:00:05 2017 UTC and is due to finish in 60 minutes.  The chair is njohnston. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:00:10 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
14:00:12 <openstack> The meeting name has been set to 'fwaas'
14:00:30 <yushiro> Hi!
14:00:31 <njohnston> #chair xgerman yushiro SridarK
14:00:40 <openstack> Warning: Nick not in channel: SridarK
14:00:41 <njohnston> Good morning FWaaS friends
14:00:41 <openstack> Current chairs: SridarK njohnston xgerman yushiro
14:00:45 <xgerman> o/
14:00:52 <njohnston> Let's wait a moment for everyone to arrive
14:00:54 <SarathMekala> Hi all O/
14:00:58 <hoangcx> hi all
14:01:02 <tuhv> hi,
14:01:05 <chandanc_> Hello all
14:02:08 <njohnston> ok, let's get started
14:02:18 <njohnston> #topic Stadium Compliance
14:02:28 <njohnston> We had a huge set of merges last week
14:02:35 <yushiro> Yes.
14:02:38 <njohnston> congratulations all - just about everything is now done!
14:02:51 <xgerman> + 1
14:03:04 <yushiro> Thank you
14:03:04 <njohnston> api definitions are now merged into neutron-lib, as is the api-ref and the OSC
14:03:36 <njohnston> neutron-lib was just released, so this morning I will spin a patch to migrate to using the neutron-lib api definition
14:04:07 <njohnston> The only thing left to do is something that I can now start looking at, which is the fullstack work - as soon as the python-neutronclient release happens
14:04:24 <xgerman> awesome
14:04:27 <njohnston> anything else on the Stadium?
14:04:49 <SridarK> Hi All Sorry to be late connectivity issues
14:04:53 <yushiro> Hi SridarK :)
14:04:56 <njohnston> no problem SridarK!
14:05:30 <njohnston> OK, so that covers the Neutron Stadium.  Next up...
14:05:35 <njohnston> #topic FWaaS v2
14:06:02 <njohnston> #link https://review.openstack.org/348177  neutron: IPtables enhancement for co-existence of SG and FWaaS v2 drivers (Chandan/Sarath)
14:06:15 <njohnston> I saw you spun a new patchset for this
14:06:18 <njohnston> can
14:06:21 <njohnston> chandanc
14:06:23 <njohnston> (sorry)
14:06:34 <njohnston> looks like it is still having issues with the tests
14:06:47 <chandanc_> ya, i was able to do some tests with the patch
14:06:54 <njohnston> I worked a bit this weekend on sorting out the output of the iptables dump to figure out the differences
14:07:01 <njohnston> it's difficult
14:07:16 <chandanc_> njohnston, i am mostly done with the UTs
14:07:26 <chandanc_> will be sending a patch with the fixes
14:07:39 <chandanc_> mostly by today
14:07:44 <njohnston> Super!
14:07:47 <SridarK> chandanc_: great
14:08:03 <chandanc_> ya, actually i was able to run some tests with fwaas-v1
14:08:09 <chandanc_> that help a lot
14:08:27 <njohnston> excellent
14:08:32 <SridarK> with this hopefully we can quickly move fwd on L2 integration
14:08:35 <xgerman> +1
14:08:37 <njohnston> reminder: next week is feature freeze for Ocata
14:08:42 <chandanc_> i might still ask for some help in testing, will send a mail with the details
14:08:51 <njohnston> so if you need any help please reach out sooner rather than later
14:08:55 <xgerman> +1
14:09:06 <SridarK> how quickly time flies esp on a shorter cycle :-(
14:09:08 <chandanc_> yes, will do
14:09:21 <yushiro> yes very shorter..
14:09:38 <njohnston> next is
14:09:39 <njohnston> #link https://review.openstack.org/361071 neutron-fwaas: FWaaS v2 driver for L2 ports (Chandan/Sarath)
14:09:48 <njohnston> I believe I saw a PS from padkrish there
14:10:07 <njohnston> er, no, I am wrong, it was
14:10:07 <njohnston> #link https://review.openstack.org/323971  neutron-fwaas: FWaaS v2 extension for L2 agent (Yushiro/Paddu)
14:10:09 <SridarK> no that was for the L2 agent
14:10:42 <chandanc_> i had a look at the L2 patch as well, the patch looks good in terms of UT but will come to know once integration begins
14:11:06 <njohnston> So let's talk about the driver - once the neutron change happens, is this pretty much ready to go?
14:11:45 <chandanc_> it seems nearly, but more when i can give it a test run
14:11:50 <SridarK> chandanc_: since we cannot create dependency, perhaps we need to handcraft something for some manual testing
14:12:29 <chandanc_> SridarK, please let me know if you have some idea on the test part, it will be of help
14:12:58 <SridarK> chandanc_: yes we can focus on functional correctness as step 1
14:13:11 <chandanc_> ya agree
14:13:30 <SridarK> chandanc_: we can discuss some more on this
14:13:40 <chandanc_> sure
14:13:43 <njohnston> ok
14:13:54 <SridarK> chandanc_: will ping u later
14:13:58 <reedip_> hi
14:14:05 <reedip_> did I miss anything
14:14:06 <chandanc_> sure SridarK
14:14:10 <SridarK> reedip_: hi
14:14:15 <yushiro> hi reedip_
14:14:17 <xgerman> hi
14:14:21 <njohnston> and switching back to the L2 extension, how does that look yushiro?  SridarK, any recent communications from padkrish?
14:14:42 <SridarK> njohnston: yes padkrish made some updates
14:15:23 <SridarK> yushiro: sorry i could not sync with u last week but we can set a time today eve (Pacific) and ur Wed morn
14:15:47 <yushiro> SridarK, njohnston, I'm testing/editing l2 agent patch on my local devstack now.  OK!
14:15:50 <SridarK> i will ping padkrish for a time and let u know - we can try to close out any remaining pieces quickly
14:16:03 <njohnston> excellent
14:16:04 <yushiro> SridarK, Sure.
14:16:20 <SridarK> once this is in we can be ready for the L2 driver piece
14:16:52 <njohnston> anything else on FWaaS v2?
14:17:20 <njohnston> #topic neutron-lib
14:17:54 <njohnston> Not much to say here, just that with the release of neutron-lib there'll be a patch or two that start making use of things we have added to it.
14:18:37 <xgerman> yeah!
14:18:37 <njohnston> Not really pushing anything else forward in neutron-lib at the moment; once Ocata is locked I will update the punchlist.
14:19:08 <njohnston> moving on
14:19:09 <njohnston> #topic performance improvement for v1
14:19:23 <tuhv> hi
14:19:35 <njohnston> tuhv: you have the floor
14:19:46 <tuhv> i updated my patch to be independent on Neutron
14:19:55 <tuhv> it is ready for review
14:20:08 <njohnston> excellent, I will take a look at it, probably tomorrow
14:20:15 <yushiro> tuhv, Sure. will do tomorrow.
14:20:17 <tuhv> thanks
14:20:32 <njohnston> thanks for the link to the testing scripts that you put in the meeting notes, that is very helpful
14:20:41 <tuhv> you can take my guide on github
14:20:52 <tuhv> njohnston, thanks
14:21:01 <hoangcx> njohnston, It is really appreciated.
14:21:03 <njohnston> #link https://github.com/uttu90/FWaaSNetlink - Reference scripts for testing netlink performance
14:21:25 <njohnston> OK, next up
14:21:29 <njohnston> #topic bugs
14:21:53 <njohnston> yushiro has been finding a number of bugs - an outstanding effort, to be sure
14:22:10 <yushiro> njohnston, You're welcome.  Please talk about some bugs.
14:22:14 <SridarK> yushiro: nice
14:22:27 <SarathMekala> +1 Great
14:22:28 <njohnston> yushiro: You've detailed these in the meeting notes, I think my first question is, have you filed bug reports in Launchpad for these?
14:22:31 <xgerman> +1
14:22:38 <reedip_> Yes, I get an email everyday from Launchpad that yushiro logged a bug ;)
14:22:58 <njohnston> :-)
14:23:22 <njohnston> yushiro: If you have created changes to fix these could you link to them as well?
14:23:23 <yushiro> njohnston, 1, 2 not yet.  Regarding 1, I need agreement.
14:23:30 <njohnston> To go through the bugs:
14:23:37 <njohnston> 1. Default parameter of 'protocol' in firewall-rule is 'ICMP' (It seems 'tcp' is more useful)
14:23:52 <njohnston> I agree that if there is to be a default, tcp should be the default.
14:23:57 <xgerman> +1
14:24:07 <SarathMekala> +1
14:24:15 <yushiro> njohnston, Thanks.  So, we need to file bug-report about '1'
14:24:23 <xgerman> yep
14:24:34 <reedip_> TCP makes more sense
14:24:38 <SridarK> yushiro: do u recall if this behavior is spilling over from v1 ?
14:25:28 <yushiro> SridarK, hmm, sorry I verified only v2
14:25:40 <yushiro> SridarK, I'll check the behavior on v1.
14:25:40 <SridarK> yushiro: np - will take a look
14:25:53 <njohnston> Ok, so we might check v1 if we have time, but more important to fix it in v2
14:26:08 <njohnston> Bug 2. 'public' visibility does not run correctly: non-admin user cannot see 'public' resource.
14:26:32 <SarathMekala> I have a v1 setup.. will check and confirm
14:26:33 <njohnston> this seems like a significant problem
14:26:38 <yushiro> njohnston, Thanks.  I think bug2 is definitely bug.(not filed bug-report)
14:26:57 <SridarK> hmm indeed this is a serious issue
14:27:05 <SridarK> SarathMekala: ok thx
14:27:06 <xgerman> +1
14:27:25 <xgerman> not sure if that would be fixed by policy.json?
14:27:43 <yushiro> xgerman, regarding bug2, not fixed.
14:27:49 <xgerman> ok
14:27:56 <njohnston> I doubt that it is a policy.json issue
14:28:09 <yushiro> njohnston, I think so too.
14:28:48 <njohnston> so definitely file a bug for this and we can work on it urgently
14:29:20 <SridarK> yushiro: in what u have seen - do u think we are missing some validation logic for this ?
14:29:25 <xgerman> we should check with policy
14:29:32 <xgerman> it seems we have a rule for that
14:29:44 <SridarK> yes i am wondering too
14:29:46 <yushiro> SridarK, sorry.  about bug2?
14:29:58 <xgerman> "get_firewall": "rule:admin_or_owner or rule:shared_firewalls",
14:30:14 <SridarK> yushiro: yes Bug2
14:30:17 <xgerman> yes
14:30:36 <njohnston> yes anyone should be able to get a shared firewall
14:30:49 <njohnston> so it might be as easy as fixing that, that is good
14:30:49 <yushiro> SridarK, sorry, I'm not sure.  will check fwaas source code.
14:31:04 <SridarK> yushiro: np - i will check too on this
14:31:17 <njohnston> Bug 3. Firewall policy and rule are not enforced policy (Non-admin user can create 'firewall_policy' or 'firewall_rule' with 'public' attribute)
14:31:32 <njohnston> Yushiro notes:
14:31:49 <njohnston> I applied https://review.openstack.org/#/c/404942/  but not changed.  Result is as follows:
14:31:49 <njohnston> - firewall_group: http://paste.openstack.org/show/595195/
14:31:49 <njohnston> - firewall_policy: http://paste.openstack.org/show/595198/
14:31:51 <njohnston> - firewall_rule: http://paste.openstack.org/show/595196/
14:32:10 <reedip_> njohnston  : so a non-admin user cannot create shared firewall_rule/policy ?
14:32:25 <yushiro> Regarding bug3, I checked applying xgerman's patch and not applying patch but unfortunately, it was same result.
14:32:37 <xgerman> :-(
14:32:48 <SridarK> i am wondering if we have some relation to Bug2
14:32:53 <njohnston> reedip_: correct, the way we have implemented it right now, you need to be admin to create a shared firewall_policy or firewall_rule
14:33:21 <xgerman> yep, I changed a scenario test to update something less contentious
14:33:30 <yushiro> Why the result is different b/w firewall_group and other resources...
14:33:45 <xgerman> probably a bug in the policy?
14:35:20 <njohnston> and finally 4 is for OSC problems
14:35:20 <yushiro> xgerman, regarding bug3, maybe policy's bug but I'm not sure currently.
14:35:41 <xgerman> yeah, I am a bit confused as well…
14:35:43 <njohnston> Bug 4.1. Cannot get 'ports' attributes from firewall_group (Even if OSC plugin fixed, current firewall_group doesn't have 'ports' attributes in GET response. https://bugs.launchpad.net/neutron/+bug/1640395 relates this situation.)
14:35:43 <openstack> Launchpad bug 1640395 in neutron "Missing 'ports' attribute when GET firewall-groups" [Low,Confirmed] - Assigned to Sridar Kandaswamy (skandasw)
14:36:10 <yushiro> njohnston, so sorry!!  Regarding OSC problems, I'll post PS ASAP :)
14:36:31 <njohnston> no problem yushiro, I am just glad you found these!
14:36:34 <SridarK> ok let me refresh my memory on what is going on with 4.1
14:37:48 <SridarK> yushiro: did u already do some work on 4.1 or i can work on it today
14:37:51 <njohnston> and Bug 4.2. Cannot get 'firewall_rules' attributes from firewall_policy
14:38:14 <njohnston> yushiro mentioned in the meeting notes that he already has a PS to address 4.1 and 4.2.
14:38:15 <SarathMekala> Sorry I got disconnected in between
14:38:24 <njohnston> yushiro: Could you send a link?
14:38:25 <yushiro> SridarK, Yes  4.1 and 4.2, I've already created PS(UT not yet)
14:38:36 <SridarK> yushiro: ok
14:38:47 <yushiro> njohnston, sorry, In my local environment not posted yet.
14:38:57 <SridarK> yushiro: ah ok
14:39:10 <njohnston> OK, as soon as you upload it could you ping the url in the #openstack-fwaas channel?
14:39:43 <reedip_> is there an FWaaS Channel :O
14:39:44 <yushiro> 4.1 and 4.2's cause were  typo and missing argument into some methods.
14:40:00 <yushiro> njohnston, Sure.
14:40:06 <SridarK> yushiro: ok perfect, we can get these in quickly
14:40:20 <SridarK> perhaps when u start ur day
14:40:34 <njohnston> We should end up with unit/fullstack/tempest tests for each of these (as appropriate) but I do not think we need to have those right now, we could add them after Ocata is frozen.  I would rather go without a tempest test but get fwaas v2 delivered than the other way around.
14:40:49 <xgerman> +1
14:40:49 <SridarK> njohnston: huge +1
14:41:02 <yushiro> +++1
14:41:07 <SridarK> and we do have some more time with bugs
14:41:26 <yushiro> SridarK, yes
14:41:49 <reedip_> https://bugs.launchpad.net/neutron/+bug/1657084
14:41:49 <openstack> Launchpad bug 1657084 in neutron "[RFE]Add time period attribute to firewall_rule" [Undecided,New] - Assigned to zhaobo (zhaobo6)
14:41:57 <reedip_> This was logged recently
14:42:12 <reedip_> I had a similar bug for v1 but it was declined at that time
14:42:34 <njohnston> reedip_: Interesting, I will take a look at that
14:42:51 <yushiro> reedip_, thanks for your information.
14:43:04 <SarathMekala> I think it becomes a little tricky with iptables
14:43:15 <SarathMekala> we need to use an iptable extension for time periods
14:43:16 <SridarK> this will need some work possible to effect this - more a featurette
14:43:34 <SridarK> i would say lets look at it for Pike
14:43:34 <reedip_> njohnston, yushiro : I had one feature for FwaaS v1 ; https://review.openstack.org/#/c/236840/
14:43:49 <reedip_> That was shot down earlier, wanted to know if it can be put forward
14:44:13 <njohnston> SarathMekala: I don't think we would encode the time period data in iptables; I think neutron-fwaas, as the orchestration engine for iptables, would need to track the time and add/remove at the specified time intervals.
14:44:46 <SridarK> reedip_: perhaps we can look at it with a v2 lens ?
14:44:49 <yushiro> reedip_, OK. I'll take a look.  thanks.
14:45:09 <reedip_> SridarK : Exactly thats what I wanted.
14:45:09 <SarathMekala> njohnston, yes can be done this way as well.. iptables also have a provision for the same
14:45:16 <SridarK> we are on the path to deprecate v1
14:45:31 <SridarK> reedip_: ok perfect, so for Pike ?
14:45:44 <SridarK> surely we can discuss it
14:45:45 <reedip_> SridarK : There is no LIKE option in xchat :P
14:45:56 <njohnston> Any other bugs to bring up?
14:46:08 <SridarK> reedip_: :-)
14:46:09 <reedip_> yes, for Pike. I will log it as a bug and it can be discussed
14:46:15 <xgerman> k
14:46:27 <SarathMekala> yushiro,SridarK : Checked V1.. TCP is the default option for protocol
14:46:46 <SridarK> ah perfect thx SarathMekala
14:46:47 <yushiro> SarathMekala: Thanks!  will file a bug report.
14:47:10 <SarathMekala> yushiro, one question for you
14:47:20 <SarathMekala> in V2 enabled has been renamed to public right?
14:47:40 <SarathMekala> sorry *shared
14:47:53 <yushiro> SarathMekala, Yes, changed from 'shared' to 'public'.
14:48:02 <SarathMekala> I think there is a bug in the CLI
14:48:12 <SarathMekala> it still shows shared
14:48:51 <yushiro> SarathMekala, Is CLI OSC plugin? (like 'openstack firewall group show fwg1)
14:48:52 <SarathMekala> [--tenant-id TENANT_ID] [--shared] [--name NAME]
14:48:55 <SarathMekala> snippet of the line
14:49:14 <xgerman> let’s file a bug. Should be easy fix
14:49:22 <SarathMekala> no.. am trying out neutron firewall-create-rule
14:50:07 <yushiro> SarathMekala, aha, I understood.  fwaas v2 can only retrieve using 'openstack' command.
14:50:30 <yushiro> SarathMekala, 'neutron firewall-rule xxx' retrieve only fwaas-v1.
14:50:57 <SarathMekala> oh.. thanks.. I may need to restack with latest code
14:51:29 <njohnston> #topic Open Discussion
14:51:35 <njohnston> #link https://etherpad.openstack.org/p/neutron-ptg-pike If you are going to the Atlanta PTG, note your attendance here!
14:51:36 <yushiro> SridarK, njohnston, xgerman  I'd like to talk a little about bugs at openstack-fwaas.
14:51:47 <njohnston> yushiro: absolutely
14:51:58 <SridarK> yushiro: yes
14:52:11 <xgerman> I gotta run but will be back in an hour
14:52:16 <yushiro> njohnston, SridarK xgerman : Thanks
14:52:38 <xgerman> I like to have this policy thing resolved… armax is really throwing us a wrench
14:53:24 <xgerman> anyhow, gotta run… o/
14:53:30 <SridarK> xgerman: bye
14:53:34 <yushiro> xgerman, aha, OK.  bye!
14:54:06 <njohnston> Does anyone have anything else?
14:54:17 <SridarK> nothing else from me
14:54:53 <reedip_> same time next week ?? ( I forget when is FWaaS meeting  :( )
14:54:54 <yushiro> nothing.
14:54:56 <SarathMekala> I got pulled into some work and could not make progress on horizon
14:55:12 <SridarK> SarathMekala: no worries - it will be Pike anyways
14:55:12 <njohnston> reedip_: Yes, same time next week!
14:55:17 <chandanc_> SridarK, can we catchup on testing tomorrow ? i will need to be away today
14:55:22 <SarathMekala> oh ok
14:55:25 <SridarK> chandanc_: yes surely
14:55:26 <yushiro> reedip_, 14:00 UTC http://eavesdrop.openstack.org/#API_Working_Group
14:55:35 <chandanc_> SridarK, thanks
14:55:40 <SridarK> chandanc_: ur morning and pacific eve/night
14:55:49 <yushiro> reedip_, at #openstack-meeting-4
14:55:54 <chandanc_> sure
14:55:58 <chandanc_> will ping
14:56:07 <SridarK> chandanc_: or even in a couple of hours
14:56:07 <yushiro> I definitely hope I can go PTG :)
14:56:21 <SridarK> yushiro: u are still waiting on the travel ?
14:56:30 <chandanc_> will try, but cant promise :(
14:56:39 <reedip_> I also am on the hooks for the PTG
14:56:43 <yushiro> SridarK, yes
14:56:47 <SridarK> chandanc_: no prob ur morn for sure then
14:56:53 <chandanc_> sure
14:57:11 <SridarK> yes travel budgets are getting tighter
14:57:40 <njohnston> I will definitely be at Atlanta and whatever the next PTG is, but I probably will not be in Boston and Sydney, it turns out
14:58:07 <SridarK> njohnston: oh
14:58:13 <yushiro> oh... njohnston
14:58:44 <reedip_> I hope you do visit Sydney ...  :)
14:58:47 <SridarK> for us too each one is "kind of depends" ...
14:58:49 <njohnston> travelling 4x a year is more than I can make happen it seems
14:59:03 <reedip_> I hope I do too :P
14:59:11 <yushiro> :)
14:59:12 <njohnston> reedip_: I agree!
14:59:18 <SridarK> it will be int to see how much the PTG model catches on
14:59:26 <SridarK> 1 min warning
14:59:42 <SridarK> all right folks thx for attending and have a great week
14:59:58 <SridarK> lets do the big push for L2
15:00:03 <njohnston> +100
15:00:05 <njohnston> OK, thanks everyone!
15:00:06 <yushiro> Yes definitely
15:00:08 <njohnston> #endmeeting